Authenticate a user | Elasticsearch API (v8)

Authenticate a user Added in 5.5.0

GET /_security/_authenticate

Authenticates a user and returns information about the authenticated user. Include the user information in a basic auth header. A successful call returns a JSON structure that shows user information such as their username, the roles that are assigned to the user, any assigned metadata, and information about the realms that authenticated and authorized the user. If the user cannot be authenticated, this API returns a 401 status code.

Responses

200 application/json
Hide response attributes Show response attributes object
- api_key object
  
  Additional properties are allowed.
  
  Hide api_key attributes Show api_key attributes object
  
  creation number
  
  Creation time for the API key in milliseconds.
  
  expiration number
  
  Expiration time for the API key in milliseconds.
  
  id string Required
  
  invalidated boolean
  
  Invalidation status for the API key. If the key has been invalidated, it has a value of true. Otherwise, it is false.
  
  name string Required
  
  realm string
  
  Realm name of the principal for which this API key was created.
  
  realm_type string
  
  Realm type of the principal for which this API key was created
  
  username string
  
  profile_uid string
  
  The profile uid for the API key owner principal, if requested and if it exists
  
  metadata object
  
  Hide metadata attribute Show metadata attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  role_descriptors object
  
  The role descriptors assigned to this API key when it was created or last updated. An empty role descriptor means the API key inherits the owner user’s permissions.
  
  Hide role_descriptors attribute Show role_descriptors attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  Hide * attributes Show * attributes object
  
  cluster array[string]
  
  A list of cluster privileges. These privileges define the cluster level actions that API keys are able to execute.
  
  indices array[object]
  
  A list of indices permissions entries.
  
  Hide indices attributes Show indices attributes object
  
  field_security object
  
  Additional properties are allowed.
  
  names string | array[string] Required
  
  privileges array[string] Required
  
  The index level privileges that owners of the role have on the specified indices.
  
  query
  
  allow_restricted_indices boolean
  
  Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.
  
  global array[object] | object
  
  An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges.
  
  One of:
  array-1 array[object] _types:GlobalPrivilege object
  
  Additional properties are allowed.
  
  applications array[object]
  
  A list of application privilege entries
  
  Hide applications attributes Show applications attributes object
  
  application string Required
  
  The name of the application to which this entry applies.
  
  privileges array[string] Required
  
  A list of strings, where each element is the name of an application privilege or action.
  
  resources array[string] Required
  
  A list resources to which the privileges are applied.
  
  metadata object
  
  Hide metadata attribute Show metadata attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  run_as array[string]
  
  A list of users that the API keys can impersonate. Note: in Serverless, the run-as feature is disabled. For API compatibility, you can still specify an empty run_as field, but a non-empty list will be rejected.
  
  description string
  
  Optional description of the role descriptor
  
  transient_metadata object
  
  Hide transient_metadata attribute Show transient_metadata attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  limited_by array[object]
  
  The owner user’s permissions associated with the API key. It is a point-in-time snapshot captured at creation and subsequent updates. An API key’s effective permissions are an intersection of its assigned privileges and the owner user’s permissions.
  
  Hide limited_by attribute Show limited_by attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  Hide * attributes Show * attributes object
  
  cluster array[string]
  
  A list of cluster privileges. These privileges define the cluster level actions that API keys are able to execute.
  
  indices array[object]
  
  A list of indices permissions entries.
  
  Additional properties are allowed.
  
  global array[object] | object
  
  An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges.
  
  One of:
  array-1 array[object] _types:GlobalPrivilege object
  
  Additional properties are allowed.
  
  applications array[object]
  
  A list of application privilege entries
  
  Additional properties are allowed.
  
  metadata object
  
  Hide metadata attribute Show metadata attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  run_as array[string]
  
  A list of users that the API keys can impersonate. Note: in Serverless, the run-as feature is disabled. For API compatibility, you can still specify an empty run_as field, but a non-empty list will be rejected.
  
  description string
  
  Optional description of the role descriptor
  
  transient_metadata object
  
  Hide transient_metadata attribute Show transient_metadata attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  _sort array[number | string | boolean | null | object]
  
  A field value.
  
  One of:
  _types:FieldValue number _types:FieldValue number _types:FieldValue string _types:FieldValue boolean _types:FieldValue string | null _types:FieldValue object
  
  Additional properties are allowed.
- authentication_realm object Required
  
  Additional properties are allowed.
  
  Hide authentication_realm attributes Show authentication_realm attributes object
  
  name string Required
  
  type string Required
- email string | null
  
  One of:
  string-1 string string-2 string | null
- full_name string | null
  
  One of:
  _types:Name string string-2 string | null
- lookup_realm object Required
  
  Additional properties are allowed.
  
  Hide lookup_realm attributes Show lookup_realm attributes object
  
  name string Required
  
  type string Required
- metadata object Required
  
  Hide metadata attribute Show metadata attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
- roles array[string] Required
- username string Required
- enabled boolean Required
- authentication_type string Required
- token object
  
  Additional properties are allowed.
  
  Hide token attributes Show token attributes object
  
  name string Required
  
  type string

GET /_security/_authenticate

curl \
 -X GET http://api.example.com/_security/_authenticate

Response examples (200)

{
  "api_key": {
    "creation": 42.0,
    "expiration": 42.0,
    "id": "string",
    "invalidated": true,
    "name": "string",
    "realm": "string",
    "realm_type": "string",
    "username": "string",
    "profile_uid": "string",
    "metadata": {
      "additionalProperty1": {},
      "additionalProperty2": {}
    },
    "role_descriptors": {
      "additionalProperty1": {
        "cluster": [
          "string"
        ],
        "indices": [
          {
            "field_security": {},
            "names": "string",
            "privileges": [
              "string"
            ],
            "allow_restricted_indices": true
          }
        ],
        "global": [
          {}
        ],
        "applications": [
          {
            "application": "string",
            "privileges": [
              "string"
            ],
            "resources": [
              "string"
            ]
          }
        ],
        "metadata": {
          "additionalProperty1": {},
          "additionalProperty2": {}
        },
        "run_as": [
          "string"
        ],
        "description": "string",
        "transient_metadata": {
          "additionalProperty1": {},
          "additionalProperty2": {}
        }
      },
      "additionalProperty2": {
        "cluster": [
          "string"
        ],
        "indices": [
          {
            "field_security": {},
            "names": "string",
            "privileges": [
              "string"
            ],
            "allow_restricted_indices": true
          }
        ],
        "global": [
          {}
        ],
        "applications": [
          {
            "application": "string",
            "privileges": [
              "string"
            ],
            "resources": [
              "string"
            ]
          }
        ],
        "metadata": {
          "additionalProperty1": {},
          "additionalProperty2": {}
        },
        "run_as": [
          "string"
        ],
        "description": "string",
        "transient_metadata": {
          "additionalProperty1": {},
          "additionalProperty2": {}
        }
      }
    },
    "limited_by": [
      {
        "additionalProperty1": {
          "cluster": [
            "string"
          ],
          "indices": [
            {}
          ],
          "global": [
            {}
          ],
          "applications": [
            {}
          ],
          "metadata": {
            "additionalProperty1": {},
            "additionalProperty2": {}
          },
          "run_as": [
            "string"
          ],
          "description": "string",
          "transient_metadata": {
            "additionalProperty1": {},
            "additionalProperty2": {}
          }
        },
        "additionalProperty2": {
          "cluster": [
            "string"
          ],
          "indices": [
            {}
          ],
          "global": [
            {}
          ],
          "applications": [
            {}
          ],
          "metadata": {
            "additionalProperty1": {},
            "additionalProperty2": {}
          },
          "run_as": [
            "string"
          ],
          "description": "string",
          "transient_metadata": {
            "additionalProperty1": {},
            "additionalProperty2": {}
          }
        }
      }
    ],
    "_sort": [
      42.0
    ]
  },
  "authentication_realm": {
    "name": "string",
    "type": "string"
  },
  "email": "string",
  "full_name": "string",
  "lookup_realm": {
    "name": "string",
    "type": "string"
  },
  "metadata": {
    "additionalProperty1": {},
    "additionalProperty2": {}
  },
  "roles": [
    "string"
  ],
  "username": "string",
  "enabled": true,
  "authentication_type": "string",
  "token": {
    "name": "string",
    "type": "string"
  }
}

Authenticate a user Added in 5.5.0

Responses

global array[object] | object

global array[object] | object

email string | null

full_name string | null